Firewall Wizards mailing list archives
RE: Checkpoint VPN
From: David West <davidawest () gmail com>
Date: Wed, 20 Jul 2005 15:39:17 +1000
Sounds like your ike/udp is fragmenting somewhere between the client and your firewall. This almost always occurs with X.509 certificate authentication, as the cert is too big for a standard Ethernet frame and is dropped by many cable/dsl routers.

Try using ike/tcp. On your gateway(s), enable support for IKE over TCP in global properties, and enable the following in SecureClient for your site's profile:

+ Connectivity enhancements
+ Use NAT traversal tunneling
- IKE over TCP
- Force UDP encapsulation

David

-----Original Message-----
From: QTR [mailto:tmwhitm () gmail com]
Sent: Wednesday, 13 July 2005 12:09 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Checkpoint VPN

Hello,

I was wondering if someone could point me in the right direction. I have come off a long run of managing Cyberguard firewalls and am now in the Checkpoint realm, so forgive my ignorance.

I am having an issue with secure client. I have several SoHo users whose default routers place them on a 172.16.0.0 network. These users cannot connect to the gateway. Dumps on the checkpoint fw gateway show no incoming packets and a dump on the client shows udp 500 leaving the client, which leads me to the router/firewall @ the SoHo. Router makes vary, anywhere from 2wire to netgear, the result is the same.

I initially thought it had something to do with the routing topology since our topology pushes a static route for a 172 network, but I had the SoHo router changed to a 10 network that is statically routed in the topology and that worked fine. At this point I am at a loss. Any suggestions would be appreciated.

Thank you,

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
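One way to check a client-side capture for the IKE/UDP fragmentation suggested in the reply, as an added example that is not part of the original thread. It assumes the packets are available as raw IPv4 bytes without a link-layer header; all function names, addresses and packet contents below are constructed for illustration.

```python
import socket
import struct

IKE_PORT = 500            # IKE over UDP
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options
MF = 0x2000               # "more fragments" flag

def ipv4(src, dst, ident, payload, more, offset):
    """Build one IPv4/UDP packet or fragment (constructed data, checksum 0)."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident,
                       (MF if more else 0) | (offset // 8), 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp_datagram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def fragment(src, dst, ident, datagram, mtu=1500):
    """Split a UDP datagram into IPv4 fragments as a 1500-byte link would."""
    step = (mtu - 20) // 8 * 8
    chunks = [datagram[i:i + step] for i in range(0, len(datagram), step)]
    return [ipv4(src, dst, ident, c, i < len(chunks) - 1, i * step)
            for i, c in enumerate(chunks)]

def fragmented_ike(packets):
    """Map (src, dst, ip_id) -> fragment count for fragmented UDP/500 datagrams."""
    parsed = []
    for pkt in packets:
        vihl, _, _, ident, fo, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
        if vihl >> 4 == 4 and proto == 17:
            parsed.append(((socket.inet_ntoa(src), socket.inet_ntoa(dst), ident),
                           fo & MF, (fo & 0x1FFF) * 8, pkt[(vihl & 0xF) * 4:]))
    # Only the first fragment (offset 0, MF set) carries the UDP port numbers.
    ike = {key for key, more, off, body in parsed
           if off == 0 and more and IKE_PORT in struct.unpack("!HH", body[:4])}
    counts = {}
    for key, more, off, body in parsed:
        if key in ike:  # later fragments are matched by src/dst/IP id
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed capture: 2000 bytes stands in for an IKE message carrying a cert.
CAPTURE = (
    fragment("172.16.0.10", "192.0.2.1", 0x1001, udp_datagram(500, 500, b"\0" * 2000))
    + fragment("172.16.0.10", "192.0.2.1", 0x1002, udp_datagram(500, 500, b"\0" * 200))
    + fragment("172.16.0.10", "192.0.2.53", 0x1003, udp_datagram(40000, 53, b"\0" * 3000))
)

if __name__ == "__main__":
    print(fragmented_ike(CAPTURE))
```

Fragments listed here on the client side with nothing arriving at the gateway would be consistent with the diagnosis in the reply.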